I am attempting to update a resource policy on my API Gateway instance via the CLI and I can't seem to find the right syntax for the JSON. In the documentation it says to use "patch-operations", and from what I understand, it needs a string of JSON for the policy. I have tried minified JSON, escaped JSON, single quotes, no quotes, and nothing seems to work. The documentation doesn't have an example of actual JSON in the value field for patch-operations, so I feel kind of lost.
I have been trying variations of this command:
aws apigateway update-rest-api --rest-api-id abcde123 --patch-operations op=replace,path=/policy,value='{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*","Action":"execute-api:Invoke","Resource":"arn:aws:execute-api:region:000000000000:*"},{"Effect":"Deny","Principal":"*","Action":"execute-api:Invoke","Resource":"arn:aws:execute-api:region:000000000000:*","Condition":{"StringNotEquals":{"aws:SourceVpce":["vpce-123456789","vpce-987654321"]}}}]}'
I get an error every time saying:
Error parsing parameter '--patch-operations': Expected: '=', received: '{' for input:
Pertinent documentation here.
Amazon API Gateway resource policies are JSON policy documents that you attach to an API to control whether a specified principal (typically an IAM user or role) can invoke the API. You can use API Gateway resource policies to allow your API to be securely invoked by:
API Gateway builds the full ARN by using the current Region, your AWS account ID, and the ID of the REST API that the resource policy is associated with. You can use execute-api:/* to represent all stages, methods, and paths in the current API.
After a customer subscribes to your SaaS product in AWS Marketplace, you can ask for IP address ranges in the registration information. Then you can enable access to your API from only those IP addresses, making it a secure integration.
Amazon API Gateway provides you with a simple, flexible, secure, and fully managed service that lets you focus on building core business services. API Gateway supports multiple mechanisms of access control using AWS Identity and Access Management (IAM), AWS Lambda authorizers, and Amazon Cognito.
The following command has been tested against my environment (using bash):
aws apigateway update-rest-api --rest-api-id %REST_API_ID% --patch-operations op=replace,path=/policy,value='"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"execute-api:Invoke\",\"Resource\":\"arn:aws:execute-api:region:000000000000:*\"},{\"Effect\":\"Deny\",\"Principal\":\"*\",\"Action\":\"execute-api:Invoke\",\"Resource\":\"arn:aws:execute-api:region:000000000000:*\",\"Condition\":{\"StringNotEquals\":{\"aws:SourceVpce\":[\"vpce-123456789\",\"vpce-987654321\"]}}}]}"' --region %REGION%
The key is to convert the JSON object to stringified text. I have used this site: basically, paste your JSON into the input text box and copy the stringified text into the AWS CLI command.
More info here.
Here is an answer for the situation where you have the policy in a file, e.g. policy.json:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:region:000000000000:*"
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:region:000000000000:*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": [
            "vpce-123456789",
            "vpce-987654321"
          ]
        }
      }
    }
  ]
}
Then, using jq, you can stringify it:
aws apigateway update-rest-api \
  --rest-api-id <api-id> \
  --patch-operations op=replace,path=/policy,value="$(jq tostring policy.json)"
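Both answers above feed a hand-stringified policy to the CLI's key=value shorthand parser, which is exactly the parser that choked on the raw braces in the question. As an added example (not code from either answer), the following Python script builds the same argument in the CLI's JSON syntax for --patch-operations, so json.dumps performs all the escaping, and refuses to emit a command unless the policy still contains the Deny statement that restricts callers to the listed VPC endpoints. It only constructs the argv list; the API ID abcde123, the Region, the account ID and the vpce- IDs are placeholders taken from the thread, and the policy is embedded inline as constructed sample input.

```python
"""Build the --patch-operations argument for `aws apigateway update-rest-api`
without hand-escaping the resource policy.

Added example, not from the original Q&A. Assumes placeholder identifiers
(API ID abcde123, Region us-east-1, account 000000000000, vpce-* IDs).
"""
import json
import sys

# Constructed sample policy: the allow-everyone-then-deny-unless-via-VPC-endpoint
# pattern used in the thread. All IDs are placeholders.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:region:000000000000:*",
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:region:000000000000:*",
            "Condition": {
                "StringNotEquals": {
                    "aws:SourceVpce": ["vpce-123456789", "vpce-987654321"]
                }
            },
        },
    ],
}


def stringify_policy(policy: dict) -> str:
    """Compact serialization of the policy. This single string is the patch
    op's `value`; API Gateway stores the policy document as a string."""
    return json.dumps(policy, separators=(",", ":"))


def build_patch_operations(policy: dict) -> str:
    """Return the --patch-operations argument in the CLI's JSON syntax.

    JSON syntax bypasses the key=value shorthand parser, so the braces,
    commas and quotes inside the policy need no manual escaping: json.dumps
    escapes the inner quotes of the stringified policy for us.
    """
    ops = [{"op": "replace", "path": "/policy", "value": stringify_policy(policy)}]
    return json.dumps(ops)


def denies_without_vpce(policy: dict) -> bool:
    """Guard before applying: is there a Deny that fires when the request did
    not come through one of the listed VPC endpoints? Without it, the
    `Allow` on Principal "*" makes the API publicly invocable."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        if cond.get("aws:SourceVpce"):
            return True
    return False


def build_update_command(rest_api_id: str, region: str, policy: dict) -> list:
    """argv for the aws CLI call, returned rather than executed so it can be
    inspected or handed to subprocess.run(...) by the caller."""
    return [
        "aws", "apigateway", "update-rest-api",
        "--rest-api-id", rest_api_id,
        "--region", region,
        "--patch-operations", build_patch_operations(policy),
    ]


if __name__ == "__main__":
    if not denies_without_vpce(POLICY):
        sys.exit("refusing: policy has no Deny conditioned on aws:SourceVpce")
    # Placeholder API ID and Region; pass the list to subprocess.run to apply.
    print(json.dumps(build_update_command("abcde123", "us-east-1", POLICY)))
```

Because the argv is a list, no shell quoting is involved at all when it is passed to subprocess.run; if you prefer to paste the command, note that the printed --patch-operations argument must be wrapped in single quotes for bash, since it contains double quotes and backslashes.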